Haxposure – threat of being exposed

Nick FitzGerald of ESET Asia Pacific explains what is haxposure and why organisations should pay attention to it.

This vendor-written piece has been edited by Executive Networks Media to eliminate product promotion, but readers should note it will likely favour the submitter's approach.

Over the past decade, the cyber threat landscape across Asia Pacific and the world has evolved dramatically, seeing an escalation in both the number of attacks targeting individuals and businesses, and also the level of sophistication of such attacks.

More recently, a new malicious trend has caught the attention of ESET researchers, highlighting that monetary gain is not the only motivation for hackers today.

Dubbed 'haxposure' by our research teams, these attacks, involve cybercriminals stealing sensitive information in order to release it to the world.

While data theft cases are common in the cybersecurity world, haxposure, unlike other threats, is the combination of criminal data theft via hacking, followed by public exposure of the content, without a monetary incentive.

Cases of hackers using these tactics made headlines in July last year, when a group calling itself 'The Impact Team' stole user data from Ashley Madison, a commercial website which connects men and women seeking extramarital affairs. The group stole the personal information of users of the website, threatening to make the information public unless the site was shut down. When that did not happen, the group released the information, causing public outrage and providing evidence for lawsuits against the company.

Similarly, in another attack which took place last year, Hacking Team, an Italian security company which sells intrusion and surveillance tools to governments and law enforcement agencies, saw 400GB of emails, documents and source code stolen by hackers. The information was then made public via the Hacking Team's own Twitter feed, purportedly revealing that the company sold software to oppressive regimes.

What the Hacking Team and Ashley Madison incidents have in common is that a security breach led to the exposure of secrets that were extremely damaging to the organisations in question. Not only this, but in both cases, it appears that the groups behind the attacks may have been ethically motivated.

Another case that gained extensive limelight, was the devastating 2014 attack on Sony Pictures Entertainment by a group calling themselves the Guardians of Peace (GOP). The attack, which is thought to be one of the most severe in history, saw the release of 40 gigabytes of sensitive company data from computers belonging to Sony Pictures Entertainment. This included multiple yet-to-be-released films, e-mail conversations and personal employee information like social security numbers and salaries. While the exact nature of GOP's complaints about Sony remain unclear, the attackers accused Sony of 'greedy' and criminal business practices in interviews, without elaborating further.

What is interesting to understand about these attacks is that in each case there was a moral or political, rather than monetary motive.